Ramblings of an aging IT geek
networking

chopping a flat home network into vlans without taking it all down

Migrating a single flat home network into segmented VLANs whilst it was live, and the small mistakes that locked me out along the way.

Network cables coiled at the back of a rack

For years everything at home lived on one flat /24. The telly, the laptops, the homelab, the cameras, the IoT junk that phones home to who-knows-where: all on the same broadcast domain, all able to talk to each other, which is exactly the problem. A smart plug had no business being able to reach my NAS, and yet it could. So I finally split the network into VLANs, and it was more painful than it had any right to be, mostly because I was migrating it live rather than starting fresh.

The plan was sensible enough. A management VLAN for the infrastructure, a trusted VLAN for the machines I actually own and patch, an IoT VLAN for the things I don't trust an inch, and a guest VLAN. The managed switch could do 802.1Q tagging, the router could do inter-VLAN routing with firewall rules between them, so the design was the easy bit. The execution is where you learn things.

Switches and patch cables in a rack

The lockout

First lesson, learned the hard way: do not reconfigure the switch port you're connected through without a plan to get back in. I moved the management interface onto the new management VLAN, the port I was plugged into stopped carrying my untagged traffic, and I lost the switch. No web UI, no SSH, nothing. The switch was working perfectly. It was doing precisely what I'd told it. I just hadn't told it to keep talking to me.

The recovery was a console cable and a torch, hunched over the rack reading the serial output, which is a very humbling way to spend a Saturday evening. After that I made a rule: any change to the switch goes in with a scheduled config rollback, so if I lock myself out it reverts in five minutes and I get another go.
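The scheduled-rollback rule is the same dead-man's-switch idea that Junos offers as `commit confirmed` and that Cisco IOS approximates with `reload in 5` before a risky change and `reload cancel` once you are back in. For a router built on a Linux box, where the "switch config" is a file you hand to a tool, here is the pattern as an added example in Python (mine, not the post's): the change is written and applied, a timer is armed, and unless `confirm()` is called from the new session the backup is restored and re-applied. `ConfirmedChange` and `demo` are hypothetical names, and the apply hook is a stand-in for whatever really loads the file (`nft -f`, a service reload).

```python
import shutil
import tempfile
import threading
from pathlib import Path


class ConfirmedChange:
    """Apply a config change that undoes itself unless confirmed in time.

    Hypothetical helper modelled on Junos 'commit confirmed' / IOS 'reload in':
    back up the file, write the new version, run the apply hook, and arm a
    timer that restores the backup and re-applies it if confirm() never comes.
    """

    def __init__(self, path, apply, timeout_s):
        self.path = Path(path)
        self.apply = apply          # e.g. lambda p: subprocess.run(["nft", "-f", p])
        self.timeout_s = timeout_s
        self.backup = self.path.with_name(self.path.name + ".rollback")
        self.timer = None
        self.rolled_back = False

    def commit(self, new_text):
        """Save the current config, install the new one, start the clock."""
        shutil.copy2(self.path, self.backup)
        self.path.write_text(new_text)
        self.apply(self.path)
        self.timer = threading.Timer(self.timeout_s, self._rollback)
        self.timer.daemon = True
        self.timer.start()

    def confirm(self):
        """Called from the *new* session: proves we can still get in."""
        self.timer.cancel()
        self.backup.unlink(missing_ok=True)

    def _rollback(self):
        """Timer fired without a confirm: put the old config back and apply it."""
        shutil.copy2(self.backup, self.path)
        self.apply(self.path)
        self.rolled_back = True

    def wait(self):
        """Block until the timer has fired or been cancelled (for demos/tests)."""
        self.timer.join()


def demo(confirm, timeout_s=0.2):
    """Simulate one change on a constructed config file.

    Returns (final config text, number of times the apply hook ran, rolled back?).
    """
    applied = []
    with tempfile.TemporaryDirectory() as d:
        cfg = Path(d) / "vlans.conf"
        cfg.write_text("vlan 1 untagged on all ports\n")          # constructed 'before'
        change = ConfirmedChange(cfg, lambda p: applied.append(p.read_text()), timeout_s)
        change.commit("vlan 99 management, vlan 1 pruned from trunks\n")
        if confirm:
            change.confirm()    # we got back in: keep the new config
        change.wait()
        return cfg.read_text(), len(applied), change.rolled_back


if __name__ == "__main__":
    print("confirmed:", demo(confirm=True))
    print("locked out:", demo(confirm=False))
```

The point of the design is that `confirm()` has to be issued over the connection the change might have broken; if you can still type it, the change is safe to keep, and if you cannot, the timer does the typing for you.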

VLAN 1 is a trap

Second lesson: the default VLAN is a liability. Most switches ship with everything on VLAN 1, and untagged traffic lands there. If you don't explicitly move management off it and prune it from trunk ports, you've left a flat network hiding inside your segmented one. I spent a confused half hour watching IoT devices reach things they shouldn't before I realised the trunk to the access point was happily carrying VLAN 1 alongside the tagged VLANs, and the AP's management was sitting on it.
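A quick way to find the flat network hiding inside the segmented one is to read the switch config for exactly these things: trunks with no allowed-VLAN list (the IOS default is every VLAN, 1 included), trunks whose native VLAN is still 1, and access ports or a management SVI left on VLAN 1. The audit below is an added example in Python, not the post's own tooling; it runs over a constructed IOS-style excerpt that reproduces the lazy trunk-to-the-access-point mistake. Function names and the config text are mine.

```python
import re

# Constructed IOS-style running-config excerpt (not from the post): one clean
# trunk, one lazy trunk to the access point, two access ports, two SVIs.
SWITCH_CONFIG = """\
interface GigabitEthernet0/1
 description trunk to router
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,20,30,40
!
interface GigabitEthernet0/2
 description trunk to access point
 switchport mode trunk
!
interface GigabitEthernet0/3
 description smart plug
 switchport mode access
 switchport access vlan 30
!
interface GigabitEthernet0/4
 description spare
 switchport mode access
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan99
 description management
 ip address 10.0.99.2 255.255.255.0
!
"""


def parse_interfaces(config):
    """Group the config into {interface name: [indented sub-lines]}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            ifaces[current] = []
        elif current is not None and line.startswith(" "):
            ifaces[current].append(line.strip())
        else:
            current = None      # '!' or a top-level command ends the block
    return ifaces


def expand_vlan_list(spec):
    """'10,20-22,30' -> {10, 20, 21, 22, 30}."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids


def trunk_allowed(lines):
    """VLANs a trunk carries; None means 'all' (the IOS default)."""
    allowed = None
    for l in lines:
        m = re.match(r"switchport trunk allowed vlan (add )?(.+)", l)
        if not m:
            continue
        spec = m.group(2).strip()
        if spec == "all":
            allowed = None
        elif spec == "none":
            allowed = set()
        elif m.group(1):        # 'add' extends the current list
            allowed = (allowed or set()) | expand_vlan_list(spec)
        else:
            allowed = expand_vlan_list(spec)
    # the 'except' and 'remove' forms are not handled in this example
    return allowed


def audit(config):
    """Return (interface, finding) pairs for every place VLAN 1 is still live."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name.lower() == "vlan1":
            if any(l.startswith("ip address") for l in lines):
                findings.append((name, "svi-on-vlan1"))     # management reachable on VLAN 1
            continue
        if "switchport mode trunk" in lines:
            allowed = trunk_allowed(lines)
            if allowed is None or 1 in allowed:
                findings.append((name, "trunk-carries-vlan1"))
            native = next((int(l.split()[-1]) for l in lines
                           if l.startswith("switchport trunk native vlan")), 1)
            if native == 1:
                findings.append((name, "native-vlan-1"))    # untagged frames land in VLAN 1
        elif "switchport mode access" in lines:
            if not any(l.startswith("switchport access vlan") for l in lines):
                findings.append((name, "access-port-on-vlan1"))
    return findings


if __name__ == "__main__":
    for iface, problem in audit(SWITCH_CONFIG):
        print(f"{iface}: {problem}")
```

Ports with no explicit `switchport mode` are left alone here; on a real audit they deserve a look too, since the default mode negotiates and usually ends up on VLAN 1 as well.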

DHCP, one scope at a time

Third, the bit that actually broke devices for users in the house: each VLAN needs its own DHCP scope, and the moment you cut a device over to a tagged VLAN it needs an address from the right pool. I did this in stages, one VLAN at a time, evenings only, with the old flat subnet still live as a fallback. A device would move, fail to get an address because I'd fat-fingered the scope's interface binding, and someone would shout up the stairs that the WiFi was broken. It wasn't broken. It was segmented, which from the sofa looks identical.
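The "fat-fingered interface binding" failure is mechanical enough to check before the cut-over rather than after the shout up the stairs: every VLAN interface on the router should have exactly one DHCP scope whose subnet matches it, the pool should sit inside that subnet, and the advertised gateway should be the interface's own address. The checker below is an added example in Python, not the post's; it assumes a Linux router with 802.1Q subinterfaces named like `eth0.30` and an ISC `dhcpd.conf`, and both inputs are constructed by me, with two deliberate slips planted (a scope typed as `10.0.3.0` instead of `10.0.30.0`, and a pool that runs past its /24).

```python
import ipaddress
import re

# Constructed 'ip -4 -o addr show' output for the router (not from the post).
IP_ADDR_OUTPUT = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0\\       valid_lft forever preferred_lft forever
3: eth0.10    inet 10.0.10.1/24 brd 10.0.10.255 scope global eth0.10\\       valid_lft forever preferred_lft forever
4: eth0.20    inet 10.0.20.1/24 brd 10.0.20.255 scope global eth0.20\\       valid_lft forever preferred_lft forever
5: eth0.30    inet 10.0.30.1/24 brd 10.0.30.255 scope global eth0.30\\       valid_lft forever preferred_lft forever
6: eth0.40    inet 10.0.40.1/24 brd 10.0.40.255 scope global eth0.40\\       valid_lft forever preferred_lft forever
"""

# Constructed ISC dhcpd.conf with two planted mistakes: the third scope's
# subnet is typed as 10.0.3.0 instead of 10.0.30.0, and the fourth scope's
# range runs past its own /24.
DHCPD_CONF = """\
subnet 10.0.10.0 netmask 255.255.255.0 {
  range 10.0.10.100 10.0.10.200;
  option routers 10.0.10.1;
}
subnet 10.0.20.0 netmask 255.255.255.0 {
  range 10.0.20.100 10.0.20.200;
  option routers 10.0.20.1;
}
subnet 10.0.3.0 netmask 255.255.255.0 {
  range 10.0.3.100 10.0.3.200;
  option routers 10.0.3.1;
}
subnet 10.0.40.0 netmask 255.255.255.0 {
  range 10.0.40.100 10.0.41.200;
  option routers 10.0.40.1;
}
"""

VLAN_IFACE = re.compile(r"^\S+\.\d+$")   # 802.1Q subinterface naming, e.g. eth0.30


def vlan_interfaces(ip_addr_output):
    """{iface: ip_interface} for every VLAN subinterface with an IPv4 address."""
    result = {}
    for line in ip_addr_output.splitlines():
        m = re.match(r"\d+:\s+(\S+)\s+inet\s+(\S+)", line)
        if m and VLAN_IFACE.match(m.group(1)):
            result[m.group(1)] = ipaddress.ip_interface(m.group(2))
    return result


def dhcp_scopes(conf):
    """[(network, range_start, range_end, routers)] from each subnet {} block."""
    scopes = []
    for net, mask, body in re.findall(
            r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", conf, re.S):
        rng = re.search(r"range\s+(\S+)\s+(\S+);", body)
        gw = re.search(r"option routers\s+(\S+);", body)
        scopes.append((
            ipaddress.ip_network(f"{net}/{mask}"),
            ipaddress.ip_address(rng.group(1)) if rng else None,
            ipaddress.ip_address(rng.group(2)) if rng else None,
            ipaddress.ip_address(gw.group(1)) if gw else None,
        ))
    return scopes


def check_scopes(ip_addr_output, conf):
    """Findings as (subject, problem) pairs; an empty list means every scope lines up."""
    ifaces = vlan_interfaces(ip_addr_output)
    scopes = dhcp_scopes(conf)
    findings, matched = [], set()
    for name, addr in ifaces.items():
        mine = [s for s in scopes if s[0] == addr.network]
        if not mine:
            findings.append((name, "no-scope"))        # clients here never get a lease
            continue
        for net, start, end, gw in mine:
            matched.add(net)
            if start is None or start not in net or end not in net:
                findings.append((name, "range-outside-subnet"))
            if gw != addr.ip:
                findings.append((name, "router-option-mismatch"))
    for net, *_ in scopes:
        if net not in matched:
            findings.append((str(net), "orphan-scope"))  # serves no interface at all
    return findings


if __name__ == "__main__":
    for subject, problem in check_scopes(IP_ADDR_OUTPUT, DHCPD_CONF):
        print(f"{subject}: {problem}")
```

Run it against the live router before moving the first device onto a VLAN: the `no-scope` and `orphan-scope` pair is precisely what a mistyped subnet looks like from the outside, and it is much easier to spot here than from a client that simply never gets an address.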

Was it worth it

Yes, plainly. The IoT VLAN can reach the internet and nothing else on the inside. The cameras talk to the NVR and to nobody else. When the next consumer gadget turns out to have a hardcoded password and a chatty habit, it's already in a box that can't see anything worth taking. The migration cost me two evenings and one serial-cable indignity, and I'd do it again, just not live. Next time I build the new network in parallel and move things over deliberately, rather than rewiring the plane mid-flight.